Hill flunks govt. on IT security

Related Links

The government made little improvement in computer security in the third annual report card, issued at a House hearing last month by Rep. Steve Horn.

'I am disheartened to announce that again this year, the government has earned an overall grade of F,' said the California Republican, chairman of the House Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations. The report card was one of Horn's last duties in office before he retired.

Ouch, that hurts

Fourteen of the 24 major agencies received failing grades.

This year's top performer was the Social Security Administration; it climbed from a C+ to a B-. But last year's standout, the National Science Foundation, dropped from a B+ to a D-.

Despite more attention to IT security in the past year and pressure applied by the Office of Management and Budget under the Government Information Security Reform Act, both OMB and the General Accounting Office concluded that problems remain pervasive.

Robert F. Dacey, GAO's director of information security issues, said significant weaknesses continue at every reviewed agency in the area of program management.

At least 22 of 24 agencies had weak access control, 20 were lax in software change management and ensuring service continuity, and 17 had problems in segregation of duties and managing system software.

Dacey made four recommendations:

Clearly delineate the responsibilities of numerous bodies involved in security.

Get more technical expertise to select, implement and maintain IT controls.

Allocate sufficient agency resources.

Give more specific guidance about the controls agencies need to implement.

Mark Forman, OMB's associate director for IT and e-government, testified that his office has made progress in giving better guidance to agencies. The office refused funding for some fiscal 2003 budget requests because of inadequate security.

'There were a number of programs we put on the high-risk list,' Forman said. Agencies usually work to resolve such problems rather than give up the programs, he said.

Despite improvements in oversight, progress has been less than stellar.

'Many agencies find themselves with the same security weaknesses year after year,' Forman said. 'They lack system-level security plans and certifications.' Many agencies also seek funds for new systems before fixing problems in existing systems, he added.

Officials of the top-scoring agency'Social Security'and the bottom'Transportation'agreed on one point. 'Securing computer systems still depends on sound management, not technical solutions,' said Transportation IG Kenneth M. Mead.

Forman said, 'Where we have seen progress, there has been clear action taken to empower the CIO. Transportation is one where there is a less-than-powerful CIO.'

In fact, 'Transportation does not have a CIO,' Mead said. The department has had a permanent CIO for only 18 months since 1996.

Even when the position is filled, 'the CIO doesn't have line authority over much of anything,' Mead said. That makes the job difficult to fill, so security remains poor, he said.

Only 123 of 561 mission-critical systems have undergone certification reviews, Mead said, and DOT is not on track to make the December 2005 deadline for certifying all systems.

Social Security deputy commissioner and chief operating officer James B. Lockhart III attributed SSA's success to concern for the privacy of the data it maintains, which 'has infused our culture from day one,' he said.

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.